ICO scheme of delegations 


The delegation of: 


- Regulatory functions under the Data 
Protection Act 2018, the Freedom of 
Information Act 2000 and other 
information rights legislation 


- Financial and procurement decisions

Authorisation of delegations to officers and staff


Paragraph 6 of schedule 12 to the Data Protection Act 2018 (Carrying out 
of the Commissioner’s functions by officers and staff) provides that: 


6(1) The functions of the Commissioner are to be carried out by the 
deputy Commissioner or deputy commissioners if - 


(a) there is a vacancy in the office of the Commissioner, or 
(b) the Commissioner is for any reason unable to act. 


(2) When the Commissioner appoints a second or subsequent 
deputy commissioner, the Commissioner must specify which 
deputy commissioner is to carry out which of the 
Commissioner’s functions in the circumstances referred to in 
sub-paragraph (1). 


(3) A function of the Commissioner may, to the extent authorised 
by the Commissioner, be carried out by any of the 
Commissioner’s officers or staff. 


I, John Edwards, the Information Commissioner, appointed pursuant to
Paragraph 6(3) of Schedule 12 of the Data Protection Act 2018 and
Section 18 of the Freedom of Information Act 2000, hereby specify that
my officers and staff are authorised to exercise my functions as
designated in the following scheme of delegation dependent on grade and
role as described and subject to management decisions on the allocation
of work.


Unless stated otherwise, all delegations are to the grade and role as 
described or to grades above. 


This scheme of delegation replaces any authorities previously given in 
respect of the legislative and other functions included. 


The following staff members have been appointed as, and are currently, 
Deputy Commissioners pursuant to Paragraph 5(1) of Schedule 12 of the 
Data Protection Act 2018 and I confirm that they are to remain appointed 
as such: 


- James Dipple-Johnstone, Chief Regulatory Officer
- Paul Arnold, Deputy Chief Executive (Chief Operating Officer)
- Steve Wood, Executive Director (Regulatory Strategy)
- Stephen Bonner, Executive Director (Regulatory Futures and Innovation)


The Deputy Commissioners are all also members of the ICO’s 
Management Board. 


In circumstances where the General Counsel is empowered to carry out a 
function set out in the scheme of delegations in their capacity of a level H 
(Executive Team) employee of the ICO, they will only exercise that 
function having satisfied themselves that there is no conflict or potential 
conflict between the exercise of that function and their obligations as 
General Counsel. 


I have set out in Annex 1 to the scheme of delegation which of these 
Deputy Commissioners would exercise the Commissioner’s powers in 
circumstances described in paragraph 6(1) of Schedule 12 of the Data 
Protection Act 2018. 


More widely, I have delegated responsibility for the day-to-day 
administrative leadership and performance of the ICO, including 
delegation of the Accounting Officer responsibilities so far as that is 
possible, to the Deputy Chief Executive Officer (Chief Operating Officer). 


I have also delegated responsibility for the day-to-day regulatory 
leadership, regulatory stakeholder management and regulatory outcomes 
of the ICO to the Chief Regulatory Officer. 


The Scheme of Delegation should be read with those responsibilities of 
the Chief Operating Officer and Chief Regulatory Officer in mind. 


[SIGNED]
John Edwards
Information Commissioner
Date: 17 January 2022


ICO grade structure and example job roles 


- Information Commissioner

Level H

- Deputy Commissioners
- Member of Executive Team

Level G2

- Director

- Head of Department

- Group Manager
- Solicitors

- Team Manager
- Senior Policy Officer

- Lead Case Officer
- Criminal Investigations Officer
- Lead Auditor

- Case Officer

- Administrative roles


1. Delegation of the Commissioner’s regulatory functions 
provided for under The Data Protection Act 2018 (DPA) 


(Note: where relevant, this also includes powers set out in Regulation (EU) 
2016/679 of the European Parliament and of the European Council (the General 
Data Protection Regulation, GDPR), as amended by the Data Protection, Privacy 
and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. 
These are referred to as “UK GDPR”) 


Reference | Title | Level of delegation
Whole act | As a data controller, responding to data subject rights in accordance with the GDPR. | Level D
DPA Part 3 | As a data controller, responding to data subject rights in accordance with the GDPR | Level D
DPA Section 17 | Accreditation of certification providers | Level G
DPA Section 51 | Exercise of rights through the Commissioner | Level B
DPA Section 65 and UK GDPR article 36(1)-(3), Article 57(1)(l), Article 58(3)(a) | Prior consultation with the Commissioner | Level E
DPA Section 115(3)(a) | Advising Parliament, government and other institutions and bodies on processing | Any advice provided to Parliament as a whole: Level G2 (excluding Legal Directors). Any other advice: Level B
DPA Section 115(3)(b) | To issue opinions on the Commissioner's initiative or on request | Deputy Commissioner
DPA Section 119 | Inspection of personal data in accordance with international obligations | Level F
DPA Section 119A and UK GDPR Article 46(2)(d), Article 46(3), Article 57(1)(j), and Article 58(3)(i) | Specifying standard data protection clauses | Deputy Commissioner
DPA Section 120(1) and UK GDPR Article 50 | Taking appropriate steps to develop international co-operation, provide mutual assistance, engage relevant stakeholders, and promote exchange and documentation of legislation and practice | Level C
DPA Section 120(2A) | Contributing to activities of international organisations with data protection functions | Level C
DPA Section 120(3) | Functions as directed by the Secretary of State to give effect to an international obligation | Level G2
DPA Section 120(4) | Assisting a British overseas territory authority | Level G2 (for any functions not covered by other delegations within this Scheme)
DPA Section 121 | Data sharing code preparation | Deputy Commissioner
DPA Section 122 | Direct marketing code preparation | Deputy Commissioner
DPA Section 123 | Age-appropriate design code preparation | Deputy Commissioner
DPA Section 124 | Data protection and journalism code preparation | Deputy Commissioner
DPA Section 125 | Approval of codes prepared under section 121 to 124 | Deputy Commissioner
DPA Section 126 | Publishing an issued code | Deputy Commissioner
DPA Section 128 | Other codes of practice | Deputy Commissioner
DPA Section 129 and UK GDPR Article 58(1)(b) | Consensual audits | Level D
DPA Section 130(2) and (5) | Records of national security certificates | Level G2
DPA Section 133 | Producing and publishing, amending, consulting on, laying before Parliament, guidance about privileged communications | Level G2
DPA Section 134 | Fees for services | Deputy Commissioner
DPA Section 135 and UK GDPR Article 57(4) | Manifestly unfounded or excessive requests by data subjects etc | Deputy Commissioner
DPA Section 136 and UK GDPR Article 57(4) | Guidance about fees | Deputy Commissioner
DPA Section 137(5) | Providing the Secretary of State with information about expenses incurred by the ICO upon request | Level G2
DPA Section 138(2) | Reviewing and making proposals about fees regulations | Deputy Commissioner
DPA Section 139(1) | Producing an annual report to Parliament, laying it and publishing it. | Reserved for the Commissioner. See Annex 1.
DPA Section 139(3) | Producing, laying and publishing other reports to Parliament. | Reserved for the Commissioner. See Annex 1.
DPA Section 142 and UK GDPR Article 58(1)(a) | Information notices | Level E
DPA Section 145 | Information orders | Level F
DPA Section 146 and UK GDPR 58(1)(b) | Assessment notices | Level E
DPA Section 149 and UK GDPR Article 58(2)(c)-(h) | Enforcement notices | Level E
DPA Section 152(1) | Seeking the leave of the court to issue an enforcement notice concerning the special purposes | Level G
DPA Section 153 | Enforcement notices: cancellation and variation | Level E
DPA Section 155 (Articles 58(2)(i) & 83 GDPR) | Penalty notices | Level G
DPA Section 156(1) | Seeking the leave of the court to issue a penalty notice concerning the special purposes | Level G
DPA Section 158(1), (4)-(6) | Fixed penalties for non-compliance with charges regulations | Notices of Intent: Level D. Monetary Penalty Notices: Level E
DPA Section 160(1) | Producing and publishing guidance about the use of notices | Level G2
DPA Section 160(2) | Producing and publishing guidance about the use of other functions | Level G2
DPA Section 160(8)-(11) | Altering, consulting on and laying guidance about Regulatory action. | Level G2
DPA Section 161 | Approval of first guidance about regulatory action | Deputy Commissioner
DPA Section 165 and UK GDPR Article 57(1)(f), Article 77(2) | Complaints by data subjects | Level C
DPA Section 174(3)-(5) | The special purposes | Level G2
DPA Section 175 | Provision of assistance in special purposes proceedings | Deputy Commissioner
DPA Section 177 | Guidance about seeking redress against media organisations | Deputy Commissioner
DPA Section 178 | Review of the processing of personal data for the purposes of journalism | Deputy Commissioner
DPA Section 182(2) | Responding to the Secretary of State on consultation on draft regulations | Deputy Commissioner
DPA Section 189(5) | Responding to Secretary of State on consultation on representation of data subjects | Deputy Commissioner
DPA Section 191(5) | Responding to Secretary of State on consultation on framework for data processing by government | Deputy Commissioner
DPA Section 197 | Prosecution | Level F (Lawyers)
DPA Section 200 | Producing and publishing, altering, consulting on, laying, guidance on how regard will be had to PACE Codes of Practice | Level G
DPA Schedule 5, para 2 | Reviewing a decision as accreditation authority | Level G2
DPA Schedule 5, para 4 | Appointment of members of the appeal panel in relation to accreditation authorities | Deputy Commissioner
DPA Schedule 12, para 5(1)(a) | Appointment of Deputy Commissioners | Reserved for the Commissioner.
DPA Schedule 12, para 5(1)(b) | Appointment of staff | Level E
DPA Schedule 12, para 5(2)-(3) | Determining terms and conditions of service, pensions of staff | Level G2
DPA Schedule 12, para 7 | Authentication of the seal of the Commissioner | Deputy Commissioner
DPA Schedule 12, para 10(1) | Payment of fees and sums to Treasury | Level G2
DPA Schedule 12, para 11 | Preparation etc of accounts | Reserved for the Commissioner.
DPA Schedule 13, para 1(1)(a) | Monitoring and enforcing Parts 3 and 4 | Level D
DPA Schedule 13, para 1(1)(b) and UK GDPR Article 57(1)(a), (d) | Promoting public awareness and understanding of data processing under Parts 3 and 4 | Level E
DPA Schedule 13, para 1(1)(c) and UK GDPR Article 57(1)(c) | Advising Parliament, government and other institutions and bodies on processing under Parts 3 and 4 | Level B
DPA Schedule 13, para 1(1)(d) | Promoting awareness of controllers of obligations under Parts 3 and 4 | Level D
DPA Schedule 13, para 1(1)(e) and UK GDPR Article 57(1)(e) | Providing information to data subjects about exercise of rights under Parts 3 and 4, and co-operate with foreign supervisory authorities to do so | Level D
DPA Schedule 13, para 1(1)(f) | Co-operate with foreign supervisory authorities for consistency of application and enforcement of Data Protection Convention, sharing information, mutual assistance | Level D
DPA Schedule 13, para 1(1)(g) and UK GDPR Article 57(1)(h) | Conduct investigations on application of Parts 3 and 4, including on basis of information received from foreign supervisory authorities or another public authority | Level D
DPA Schedule 13, para 2(a) | Notifying controllers and/or processors of alleged infringement of Parts 3 and 4 | Level D
DPA Schedule 13, para 2(b) | To issue warnings | Level E
DPA Schedule 13, para 2(c) and UK GDPR Article 58(2)(b) | To issue reprimands | Level C
DPA Schedule 13 para 2(d) and Article 58(3)(b) | To issue opinions on the Commissioner's initiative or on request | Deputy Commissioner
DPA Schedule 14, para 6 | Co-operation between the Commissioner and foreign designated authorities | Level G
DPA Schedule 14, para 7 | Assisting persons resident outside the UK with requests under Article 14 of the Convention | Level G
DPA Schedule 14, para 8 | Assisting UK residents with requests under Article 8 of the Convention | Level G
DPA Schedule 15 and UK GDPR Article 58(1)(e)-(f) | Powers of entry and inspection | Level D
DPA Schedule 16, para 3 | Issuing a notice of intent for a penalty notice | Level G
DPA Schedule 16, para 7 | Varying a penalty notice | Level G
DPA Schedule 16, para 8 | Cancelling a penalty notice | Level G
DPA Schedule 16, para 9 | Enforcing a penalty notice | Level G
Schedule 21, para 9 and UK GDPR Article 47, Article 57(1)(s), Article 58(3)(j) | Considering and authorising binding corporate rules | Deputy Commissioner


2. Delegation of the Commissioner’s regulatory functions
provided for under Regulation (EU) 2016/679 of the European
Parliament and of the European Council (the General Data
Protection Regulation, GDPR), as amended by the Data
Protection, Privacy and Electronic Communications
(Amendments etc) (EU Exit) Regulations 2019 (“UK GDPR”)


Note: powers from the UK GDPR which are also included in the Data Protection
Act 2018 are included in the previous section of this scheme.


Reference | Title | Level of Delegation
Article 58(8) | Adopting standard contractual clauses for controller-processor and processor-sub-processor agreements | Deputy Commissioner
Article 30(4) | Requesting access to a record of processing activity | Level C
Article 35(4) | Establishing and publishing a list of processing operations subject to a DPIA requirement | Deputy Commissioner
Article 35(5) | Establishing and publishing a list of processing operations for which a DPIA is not required | Deputy Commissioner
Article 36(4) and (4A) | Responding to Secretary of State, National Assembly for Wales, Scottish Parliament, and/or Northern Ireland Assembly on prior consultation concerning legislative and regulatory measures | Deputy Commissioner
Article 40(5), Article 57(1)(m) | Encouraging development of and considering sectoral codes of conduct | Level D
Article 40(5), (6), Article 58(3)(d) | Registering and publishing sectoral codes of conduct, and issuing draft sectoral codes of conduct | Level G
Article 40(5), Article 57(1)(m) | Approving sectoral codes of conduct | Deputy Commissioner
Article 41(1)-(2),(5) and Article 58(3)(e) | Accreditation of a body to monitor compliance with a sector code of conduct, revoking accreditations | Deputy Commissioner
Article 42(1) | Encouraging certification mechanisms | Level E
Article 42(5) and Article 58(3)(f) | Issuing certifications | Level G [1]
Article 42(7) | Revoking certifications | Level G [2]
Article 43(1) | Accrediting certification bodies (in line with Schedule 17 of the DPA 18) | Level G [3]
Article 43(4), (7) | Revoking accreditations | Level G [4]
Article 57(1)(b), (d) | Promoting public awareness and understanding and promoting awareness of obligations | Level E
Article 57(1)(e) | Providing information to subjects, and co-operating with supervisory authorities | Level C
Article 57(1)(h) | Conducting investigations | Level E
Article 57(1)(j) and Article 58(3)(g) | Adopting standard contractual clauses and issuing standard data protection clauses | Deputy Commissioner
Article 57(1)(k) | Establishing and maintaining a list of DPIA requirements | Deputy Commissioner
Article 57(1)(n) | Encouraging certification mechanisms, seals and marks | Level D
Article 57(1)(n) | Approving criteria for certification mechanisms seals and marks | Deputy Commissioner
Article 57(1)(o) | Periodically reviewing certifications | Level G [5]
Article 57(1)(oa) | Maintain a public register of certification mechanisms, data protection seals and marks and controllers or publishers established in third countries | Level G
Article 57(1)(p) | Drafting and publishing requirements for accreditation of body monitoring codes of conduct and certification bodies | Level G
Article 57(1)(q) | Conducting accreditation | Deputy Commissioner [6]
Article 57(1)(r) and Article 58(3)(h) | Authorising contractual clauses | Deputy Commissioner
Article 57(1)(u) | Keeping internal records of infringements and action taken | Level C
Article 57(1)(v) | Any other tasks related to the protection of personal data | Chief Regulatory Officer
Article 57(2) | Providing a complaint submission form | Level C
Article 58(1)(c) | Reviewing issued certifications | Level G2 [7]
Article 58(1)(d) | Notifying controllers of alleged infringements | Level C
Article 58(2)(a) | Issuing warnings that intended processing is likely to infringe | Level G
Article 58(2)(i) | Imposing administrative fines | Level G
Article 58(2)(j) | Suspending data flows to a third country | Deputy Commissioner

[1] While the ICO has power to issue certifications, we do not currently exercise that
power. This will be done by certification bodies. However, should the ICO begin to use
power, this is the level of delegation.

[2] See Footnote 1.

[3] While the ICO has power to revoke accreditation of certification bodies, we do not
currently exercise that power. This will be done by the national accreditation body
(UKAS). However, should the ICO begin to use power, this is the level of delegation.

[4] See Footnote 3

[5] See Footnote 1

[6] While the ICO has power to conduct accreditation of certification bodies, we do not
currently exercise that power. This will be done by the national accreditation body
(UKAS). However, should the ICO begin to use power, this is the level of delegation.

[7] See Footnote 1

3. Delegation of the Commissioner’s regulatory functions
provided for under The Freedom of Information Act 2000


Reference | Title | Level of Delegation
FOIA, duties under sections 1, 16 and 17 | As a listed public authority to which FOIA applies, concerning responding to requests for information and providing advice and assistance | Level D
Section 19(5), (6), (7) | Revocation of approval of a publication scheme | Level F
Section 20(1), (2), (4), (5), (6) | Approval, rejection or approval of model publication schemes | Level G2
Section 45(4) | Responding to consultation on code of practice | Level G2
Section 46(5) | Responding to consultation on code of practice | Level G2
Section 47(2) | Dissemination of expedient information about the operation of FOIA, good practice and other matters | Level C
Section 47(3) | Assessing, with consent, whether a public authority is following good practice | Level C
Section 47(4) | The determination of charges for relevant services under (5) | Deputy Commissioner
Section 47(4D) | Responding to consultation on relevant chargeable services | Level G2
Section 47(5)(a) | Consultation of the Keeper of Public Records | Level G2
Section 47(5)(b) | Consultation of the Deputy Keeper of Records of Northern Ireland | Level G2
Section 48(1) | Issuing a good practice recommendation | Level F
Section 48(3) | Consultation of the Keeper of Public Records before the issue of a recommendation in certain cases | Level G2
Section 48(4) | Consultation of the Deputy Keeper of Records of Northern Ireland before the issue of a recommendation in certain cases | Level G2
Section 50 | Determination of applications for a decision | Level E
Section 51 | The issue (and cancellation) of information notices | Level E
Section 52 | The issue (and cancellation) of enforcement notices | Level E
Section 54(1) | Certification to the court of a failure to comply with a notice | Level G
Section 76 | Consideration of disclosure of information to a listed ombudsman | Level E
Section 76A | Consideration of disclosure of information to the Scottish Information Commissioner | Level E
Section 77 | Prosecution of the offence of altering records | Level F (Legal)
Schedule 3, para 1 | Seeking a warrant for entry and/or inspection, and complying with the procedural pre-conditions (para 2) | Level F
Schedule 3, para 4 | The execution of a warrant | Level D
Schedule 3, para 12 | Prosecution of the offence of obstruction of a warrant | Level F (Legal)


4. Delegation of the Commissioner’s regulatory functions
provided for under The Privacy and Electronic
Communications Regulations 2003


Reference | Title | Level of Delegation
Regulation 5(6) | Security of public electronic communications services | Level E
Regulation 5A(7) | Personal data breach | Level G
Regulation 5B | Personal data breach: audit | Level E
Regulation 5C | Personal data breach: enforcement | Level G
Reg 25 | Maintenance of the fax register | By Regulation 25(5), this has been outsourced to Telephone Preference Service Limited
Reg 26 | Maintenance of the telephone register | By Regulation 26(5), this has been outsourced to Telephone Preference Service Limited
Reg 29A(2) | Requesting information from communications providers in national security and law enforcement cases | Level G
Regulation 31 | Enforcement - extension of part V of the DPA98 [8], set out below: |
 | Section 40 - Enforcement notices | Level E
 | Section 41 - Cancellation of enforcement notices | Level E
 | Section 41A - Assessment notices | Level E
 | Section 42 - Request for assessment | Level B
 | Section 43 - Information notices | Level E
 | Section 50 and Schedule 9 - Powers of entry and inspection | Level D
Regulation 31A | Enforcement: Third party information notices | Level E
Reg 33 | Requesting technical advice from Ofcom | Level D
Schedule 1, paras 1-2 | Consideration, service and cancellation of an enforcement notice | Level G
Schedule 1, para 4 | Consideration, service and cancellation of an information notice | Level E
Schedule 1, para 6 | Prosecution of non-compliance with notice offences | Level G
Schedule 1, paras 8A-8C | Consideration and service of a monetary penalty notice | Level G
Schedule 1, paras 10-10A | Seeking a warrant for entry and/or inspection and complying with the procedural pre-conditions | Level G
Reg 31 read with para 4 of Schedule 9 DPA98 | Executing a warrant | Level E
Reg 31 read with para 12 of Schedule 9 DPA98 | Prosecution of obstruction offences | Level F

[8] The references immediately below refer to the relevant provisions in the DPA1998


5. Delegation of the Commissioner’s regulatory functions
provided for under The Freedom of Information (Time for
Compliance with Requests) Regulations 2004


Reference | Title | Level of Delegation
Regulation 5 | Operations of armed forces of the Crown | Level C
Regulation 6 | Information held outside the United Kingdom | Level C


6. Delegation of the Commissioner’s regulatory functions
provided for under The Environmental Information
Regulations 2004


Reference | Title | Level of Delegation
Duties under regs 5, 9 and 14 | As a public authority to which the EIR applies, concerning responding to requests for information and providing advice and assistance | Level D
Regulation 16(5) | Issue of a code of practice and functions of the Commissioner [The general functions of the Commissioner under section 47 of the [FOIA] shall apply for the purposes of these Regulations... ] | The delegated authority for this Regulation is the same as those given for Section 47 (and its Sub-sections) of the FOIA as detailed in part 3 of this document
Regulation 18(1) | Enforcement and appeal provisions [The enforcement and appeals provisions of the [FOIA] shall apply for the purposes of these Regulations as they apply for the purposes of the Act... ] | The delegated authority for this Regulation is the same as those given for the enforcement and appeals provisions of the FOIA; i.e. Sections 50 to 54(1) as detailed in part 3 of this document
Regulation 19(4) | Prosecution of offence of altering records | Level F


7. Delegation of the Commissioner’s regulatory functions 
provided for under The Re-use of Public Sector Information 
Regulations 2015 


Reference | Title | Level of Delegation
Regulation 18 | Enforcement and appeals provisions [...the relevant enforcement and appeals provisions of the [FOIA] apply for the purposes of these Regulations as they apply for the purposes of this Act... ] | The delegated authority for this Regulation is the same as those given for the enforcement and appeals provisions of the FOIA; i.e. Sections 50 to 54(1) as detailed in part 3 of this document
Regulation 19(2) | Enforcement and appeals provisions: regulation 15(5) charging exemptions [...the relevant enforcement and appeals provisions of the [FOIA] apply for the purposes of these Regulations as they apply for the purposes of this Act... ] | The delegated authority for this Regulation is the same as those given for the enforcement and appeals provisions of the FOIA; i.e. Sections 50 to 54(1) as detailed in part 3 of this document
Regulation 20 | Information sharing with Scottish Information Commissioner | Level D

8. Delegation of the Commissioner’s regulatory functions 
provided for under The INSPIRE Regulations 2009 


Reference | Title | Level of Delegation
Regulation 11 | Enforcement and appeals in relation to public access [The enforcement and appeals provisions in the [FOIA] apply for the purposes of regulations 7(4)(c) and 9 as they apply for the Act] | The delegated authority for this Regulation is the same as those given for the enforcement and appeals provisions of the FOIA; i.e. Sections 50 to 54(1) as detailed in part 3 of this document


9. Delegation of the Commissioner’s regulatory functions 
provided for under The Electronic Identification and Trust 
Services for Electronic Transactions Regulations 2016 


Reference | Title | Level of Delegation
Paragraph 1 of Schedule 1 | Monetary penalties | The delegated authority for this paragraph is the same as that given for Section 155 of the DPA as detailed in part 1 of this document
Paragraph 1 of Schedule 2 | Enforcement powers [For the purpose of these Regulations and the eIDAS Regulations, the following Sections of the [DPA] apply...] | The delegated authority for this paragraph is the same as those given for Sections 140-160 and Section 197 of the DPA as detailed in part 1 of this document.
Regulation 3(2) | Enforcement of Chapter III of Regulation (EU) No 910/2014 | The delegated authority for this paragraph is the same as those given for Sections 140-160 and Section 197 of the DPA as detailed in part 1 of this document.


10. Delegation of the Commissioner’s regulatory functions
provided for under Regulation (EU) No 910/2014 of the
European Parliament and of the Council of 23 July 2014 on
electronic identification and trust services for electronic
transactions in the internal market, as amended by The
Electronic Identification and Trust Services for Electronic
Transactions (Amendment etc.) (EU Exit) Regulations 2019


Reference | Title | Level of Delegation
Article 17(4)(b) | To analyse conformity assessment reports referred to in Articles 20(1) and 21(1) | Level G
Article 17(4)(c) | to inform the public about breaches of security or loss of integrity in accordance with Article 19(2); | Level G
Article 17(4)(e) | To carry out audits or request a conformity assessment body to perform a conformity assessment of the qualified trust service providers in accordance with Article 20(2); | Level G
Article 17(4)(g) | to grant qualified status to trust service providers and to the services they provide and to withdraw this status in accordance with Articles 20 and 21; | Deputy Commissioner
Article 17(4)(h) | to inform the body responsible for the trusted list referred to in Article 22(3) about its decisions to grant or to withdraw qualified status, unless that body is also the supervisory body | Level G
Article 17(4)(i) | to verify the existence and correct application of provisions on termination plans in cases where the qualified trust service provider ceases its activities, including how information is kept accessible in accordance with point (h) of Article 24(2); | Level G
Article 17(4)(j) | to require that trust service providers remedy any failure to fulfil the requirements laid down in this Regulation. | Level E


11. Delegation of the Commissioner’s regulatory functions 
provided for under The Network and Information Systems 
Regulations 2018 


Reference | Title | Level of Delegation
Regulation 3(4)(a)-(c) and 3(5)(b) | Designation of national competent authorities | Deputy Commissioner
Regulation 6(1) | Information sharing with relevant listed bodies | Level D
Regulation 12(8), (10), (12), (13), (14) and (15) | Relevant digital service providers | Level G2
Regulation 13 | Co-operation and action across member state boundaries | Level G2
Reg 14(1) | Maintaining a register of all notified RDSPs | Level F
Regulation 15(3) and (7) | Information Notices | Level E
Regulation 16(2) and (4) | Power of inspection | Level D
Regulation 17 | Enforcement for breach of duties | Level E
Regulation 18 | Penalties [serving of a penalty notice] | Level G
Regulation 19(2) | Appoint an independent reviewer of penalty decisions made in relation to an RDSP | Level G2
Regulation 21 | Fees | Deputy Commissioner


12. Delegation of the Commissioner’s regulatory functions 
provided for under The Consumer Credit Act 1974 


Reference | Title | Level of Delegation
Section 159 | Correction of wrong information | Level E


13. Delegation of the Commissioner’s regulatory functions 
provided for under The Investigatory Powers Act 2016 


Reference | Title | Level of Delegation
Section 70 and Schedule 4 | Relevant public authorities and designated senior officers etc | Level G
Section 244 | Oversight by the Information Commissioner in relation to Part 4 (Retention of Communications data) | Level F


14. Delegation of the Commissioner’s regulatory functions 
provided for under Computer Misuse Act 1990 


Reference | Title | Level of Delegation
Sections 1, 2, 3, 3ZA, 3A | Prosecution of offences | Level F


15. Delegation of the Commissioner’s regulatory functions
provided for under Regulation of Investigatory Powers Act
2000

Reference Title Level of Delegation 
Section 28, Authorisation to carry out Level G 


read with para 
27A of Part 1 of 
Schedule 1 


directed surveillance 


16. Delegation of the Commissioner’s regulatory functions
provided for under Digital Economy Act 2017


Reference | Title | Level of Delegation
Section 43(5) | Responding to the Secretary of State on consultation on a code of practice | Deputy Commissioner
Section 44(4) | Responding to the appropriate national authority on consultation on regulations | Deputy Commissioner
Section 48(11) | Responding to the appropriate national authority on consultation on regulations | Deputy Commissioner
Section 52(5) | Responding to a Minister on consultation on a code of practice | Deputy Commissioner
Section 53(3) | Responding to a Minister on review of legislation | Deputy Commissioner
Section 56(12) | Responding to a national authority on consultation on regulations | Deputy Commissioner
Section 60(5) | Responding to a Minister on consultation on a code of practice | Deputy Commissioner
Section 61(3) | Responding to a Minister on review of legislation | Deputy Commissioner
Section 70(7) | Responding to the Statistics Board on a consultation on a code of practice | Level G
Section 71(6) | Responding to the Statistics Board on a consultation on conditions | Level G


17. Delegation of the Commissioner’s regulatory functions
provided for under Small Business, Enterprise and
Employment Act 2015 (read with regulation 2 and Schedule 1 to
the Business Impact Target (Relevant Regulators) Regulations
2017)


Reference | Title | Level of Delegation
Section 24A | Publication of a variety of required documents concerning duty on relevant regulators to assess economic impact | Level G2
Section 26 | Amendments to published documents in light of amendments to targets and determinations made by Secretary of State | Level G2


18. Delegation of the Commissioner’s regulatory functions 
provided for under Consumer Rights Act 2015 


Reference | Title | Level of Delegation
Schedule 3, para 2 | Consideration of complaints about terms in consumer contracts, liaising with the CMA | Level C
Schedule 3, para 3 | Applying for an injunction against a person using such a term | Level G
Schedule 3, para 6 | Accepting undertakings in lieu | Level G
Schedule 5, para 21 | Power to purchase products [all Schedule 5 functions to be carried out for purposes of ICO’s designation under section 213 of the Enterprise Act 2002 as an enforcer] | Level G
Schedule 5, para 22 | Power to observe the carrying on of business | Level G
Schedule 5, para 23 | Power to enter non-dwelling premises without a warrant | Level G
Schedule 5, para 25 | Power to inspect a product on premises | Level E
Schedule 5, para 31 | Power to break open container | Level E
Schedule 5, para 32 | Power to enter premises with a warrant | Level E
Schedule 5, para 34 | Power to require assistance from persons on premises | Level E


19. Delegation of the Commissioner’s regulatory functions 
provided for under Registration Service Act 1953 


Ref | Title | Level of Delegation
Section 19AC(5) | Responding to the Registrar General on consultation on code of practice | Level G


20. Delegation of the Commissioner’s regulatory functions 
provided for under Statistics and Registration Service Act 2007 


Reference | Title | Level of Delegation
Section 45E(8) | Responding to the Statistics Board on consultation on statement | Level G


21. Delegation of the Commissioner’s regulatory functions 
provided for under Serious Crime Act 2007 


Reference | Title | Level of Delegation
Section 71(2) | Responding to the Secretary of State on consultation on code of practice | Deputy Commissioner


22. Delegation of the Commissioner’s regulatory functions
provided for under Public Audit (Wales) Act 2004


Reference | Title | Level of Delegation
Section 64G(3) | Responding to the Auditor General for Wales on consultation on code of data matching practice | Deputy Commissioner


23. Delegation of the Commissioner’s regulatory functions 
provided for under Audit and Accountability (Northern Ireland) 
Order 2003 


Reference | Title | Level of Delegation
Article 4G(3) | Responding to the Comptroller and Auditor General on consultation on code of data matching practice | Deputy Commissioner


24. Delegation of the Commissioner’s regulatory functions 
provided for under Representation of the People Act 1983 


Reference | Title | Level of Delegation
Section 53(5) | Responding to the Secretary of State on consultation on regulations | Deputy Commissioner


25. Delegation of the Commissioner’s regulatory functions 
provided for under Protection of Freedoms Act 2012 


Reference | Title | Level of Delegation
Section 29(5) | Responding to the Secretary of State on consultation on surveillance camera code of practice | Deputy Commissioner
Section 33(8) | Responding to the Secretary of State on consultation on order | Deputy Commissioner


26. Delegation of the Commissioner’s regulatory functions
provided for under Local Audit and Accountability Act 2014


Reference | Title | Level of Delegation
Schedule 9, para 7(3) | Responding to a Minister on consultation on code of practice | Deputy Commissioner


27. Delegation of the Commissioner’s regulatory functions 
provided for under Equality Act 2010 (Specific Duties and 
Public Authorities) Regulations 2017 


Reference | Title | Level of Delegation
Regulation 4, read with Schedule 2 | Duty to publish annual information demonstrating compliance with section 149 of the Equality Act 2010 | Level G2


28. Delegation of the Commissioner’s regulatory functions 
provided for under information/data related offences which the 
ICO has competence to prosecute in accordance with the 
principles in R v Rollins [2010] UKSC 39 


Reference | Title | Level of Delegation
R v Rollins [2010] UKSC 39 | Any information/data related offences which the ICO has competence to prosecute in accordance with the principles in R v Rollins [2010] UKSC 39 | Level F


29. Delegation of the Commissioner’s duties and obligations 
relating to financial and procurement matters 


Overview of financial management at the ICO 


The Information Commissioner is a Corporation Sole as established under 
the DPA2018. The Department for Digital, Culture, Media and Sport 
(DCMS) is the sponsoring department for the ICO and the relationship 
with the department is governed by the Management Agreement. 


The Accounting Officer of the DCMS has designated the Information 
Commissioner as Accounting Officer for her office, the ICO. The 
responsibilities of an Accounting Officer, including responsibility for the 
propriety and regularity of the public finances and for the keeping of 
proper records and for safeguarding the Information Commissioner’s
assets, are set out in the Non-Departmental Public Bodies’ Accounting 
Officer Memorandum issued by the Treasury and published in Managing 
Public Money. 


As Accounting Officer, the Information Commissioner has delegated 
executive responsibility to the Chief Operating Officer for effective 
financial stewardship as Accountable Officer. This is a contractual 
responsibility and allows the Information Commissioner to have a 
separate, and not term-limited, accountable person charged with 
stewardship and probity for our use of public money. 


The Information Commissioner’s financial settlement is as set out in its 
Spending Review Settlement letter and any further allocation letters. 


The Information Commissioner and her office are funded through a 
combination of charges levied on relevant public stakeholders and grant 
in aid funding paid out of money provided by Parliament; specifically: 


- Expenditure on data protection activities is financed through the
retention of data protection charges collected from data controllers in
accordance with the Data Protection (Charges and Information)
Regulations 2018.


- DCMS pays to the Information Commissioner appropriate sums (the
grant in aid) for ICO administrative costs and the exercise of the
Information Commissioner's functions in relation to a number of
specific functions including the office's freedom of information work.


- Additional grant in aid is paid by other departments in accordance
with the requirements of relevant legislation.


The Management Agreement with the DCMS states that the ICO is subject 
to the latest Cabinet Office spending controls and the DCMS thresholds for 
spending controls as set out in the latest DCMS Spending Control 
Guidance. 


The only exception to this is that, for all advertising and marketing
expenditure under £100,000, the Information Commissioner is only
required to request approval directly from the DCMS Sponsorship Team, as
opposed to completing the formal approval process.


The Management Agreement also states that the ICO must comply with
the Public Contracts Regulations 2015 in its procurement activity. In
addition, the ICO is subject to certain thresholds when tendering for a
procurement opportunity, as detailed in Procurement Policy Notes and
https://www.ojec.com/thresholds.aspx




External links 


Cabinet Office Spending Controls: 
https://www.gov.uk/government/collections/cabinet-office-controls 


Management Agreement:
https://ico.org.uk/media/about-the-ico/documents/2259800/management-agreement-2018-2021.pdf


Managing Public Money: 
https://www.gov.uk/government/publications/managing-public-mone 


Delegations 


The ICO Procurement and Contract Management Policy (available here) 
details how the office is to procure services and manage contracts. It 
includes the following delegations authorising staff at specific grades and 
job roles to be contract signatories. These delegations are formally 
authorised by this scheme. 


Authorised Contract Signatories 


Designated Officer | Maximum contract value and type
Commissioner or DCEO/COO plus Head of Finance (level G) or Director of Finance (level G2) | Unlimited; All contracts*; MoUs; Government spending control authorisations specified for the Commissioner
Level H plus Head of Finance (level G) or Director of Finance (level G2) | Unlimited; All contracts*; MoUs
Director (level G2) plus Head of Finance (level G) | Up to £1,000,000 for IT contracts; Up to £500,000 for all other contracts*; MoUs
Director (level G2) | MoUs; Up to £100,000 for all contracts*
Head of Department (level G) | Up to £25,000

* except those requiring the Commissioner’s Seal which only the Commissioner or an
officer with specific delegated authority under paragraph 7 of schedule 12 to the Data
Protection Act 2018 can sign


Purchase orders and invoices 


Staff Level | Maximum authority to sign off purchase orders & invoices | Sign off bank payments up to any amount
Level H | Unlimited | Yes
Director of Finance or Head of Finance | Unlimited | Yes
Level G2 | £1,000,000 | Yes
Level G | £1,000,000 | Yes
Level F | £50,000 | Not applicable
Level E | £10,000 | Not applicable
Level D | £5,000 | Not applicable


Corporate charge cards 


Corporate charge cards standard limits on card application 


Staff Level | Maximum authorised spend (per month)
Level H | £50,000
Director of Finance or Head of Finance | £50,000
Level G2 | £50,000
Level G | £50,000
Level F | £10,000
Level E | £5,000
Level D and C | £2,500 [10]

[10] or where duties require a higher limit, and with the agreement of the Director of
Finance, £10,000.


Expenses and corporate charge card sign off for senior managers


Executive Team members (Level H) and the Commissioner should have all
direct expenses and corporate charge card expenditure signed off by the
Director of Finance (deputised by the Head of Finance in exceptional
circumstances).

Directors (Level G2) should have all expenses signed off by their line
manager (deputised by the Director of Finance in the first instance and
the Head of Finance in exceptional circumstances).


Annex 1 — Deputising for the Information Commissioner


In the event that the Commissioner is unable to act, or there is a vacancy
in the office of the Commissioner, the delegations set out in this scheme
still apply.


For the purposes of Schedule 12, paragraph 6(1)(a) and (b) of the Data 
Protection Act 2018, the following powers are those which are reserved 
for the Commissioner. In the event that the Commissioner is for any 
reason unable to act or there is a vacancy in the office of Commissioner, 
these powers will be exercised by the relevant Deputy Commissioner 
identified below. These Deputy Commissioners cannot take action on 
powers set out here unless the Commissioner is unable to act or there is a 
vacancy in the office of Commissioner. 


Ref | Title | Delegation

Data Protection Act 2018

Section 139(1) and UK GDPR Article 59 | Producing an annual report to Parliament, laying it and publishing it. | Deputy Chief Executive Officer (Chief Operating Officer)
Section 139(3) | Producing, laying and publishing other reports to Parliament. | Chief Regulatory Officer
Schedule 12, para 11 | Preparation etc of accounts | Deputy Chief Executive Officer (Chief Operating Officer)


In addition, the ICO’s internal practices state that the Commissioner shall 
be responsible for convening meetings of the Regulatory Panel and 
agreeing the membership of each Panel meeting. In the event of the 
circumstances of Schedule 12, paragraph 6(1)(b) applying, the Chief 
Regulatory Officer will exercise this responsibility. 


Any other powers or legislation not specified herein which apply to the 
Information Commissioner or the Information Commissioner’s Office 


Note: in the event of a decision being required which covers both of the 
matters below, the decision will be taken by the Deputy Chief Executive 
Officer (Chief Operating Officer) 


Description | Delegation
Any other duties which are consistent with the Information Commissioner’s role as a Chief Executive of a UK public sector organisation. This includes any duties in relation to financial reporting, performance reporting, or similar and any other powers or duties which are common to a broad plurality of other UK public sector organisations. | Deputy Chief Executive Officer (Chief Operating Officer)
Any other duties which are consistent with the Information Commissioner’s regulatory role. This includes any duties which are consistent with the Information Commissioner’s role as the regulator for the Data Protection Act, Freedom of Information Act, Privacy and Electronic Communications Regulations, Environmental Information Regulations, any other acts listed within this Scheme of Delegation, and any similar acts not included within the Scheme of Delegation. | Chief Regulatory Officer


Note: in addition to the delegations above, as set out earlier in this scheme, the 
Commissioner has delegated the power under Article 57(1)(v) of the UK GDPR 
(“Any other tasks related to the protection of personal data”) to the Chief 
Regulatory Officer. This is a power that the Chief Regulatory Officer can exercise 
even if the Commissioner is in office and able to act, but a reference is included 
to it in this annex to give a reminder and clarity that this delegation exists. 


In the event that, at the same time as the Commissioner being unable to 
act or there being a vacancy in the office of Commissioner, the Chief 
Regulatory Officer is also unable to act, the Deputy Chief Executive Officer 
(Chief Operating Officer) will exercise the powers described in this annex 
(and vice versa). In the event that both the Deputy Chief Executive (Chief 
Operating Officer) and the Chief Regulatory Officer are unable to act, the 
Deputy Commissioner (Regulatory Strategy) will exercise the powers 
described in this annex. In the event that all three are unable to act, the 
Deputy Commissioner (Regulatory Futures and Innovation) will exercise 
the powers described in this annex. 


In the event that the Commissioner is unable to act or there is a
vacancy in the office of the Commissioner, the Chief Operating Officer
shall exercise the power of the Commissioner under paragraph 5(1)(a) of
Schedule 12 to appoint Deputy Commissioners.


In the event that the Commissioner is unable to act or there is a
vacancy in the office of the Commissioner, the Chief Operating Officer
shall exercise the power of the Commissioner under paragraph 6(3) of
Schedule 12 to authorise any function of the Commissioner to be carried
out by any of her officers or staff by way of amending this Scheme of
Delegation.


As set out in the Management Board terms of reference, in the event that 
the Information Commissioner is unable to attend a Management Board 
meeting, the Senior Independent Director will chair the meeting. 